When WikiLeaks released Vault7, a series of leaks on the CIA’s hacking tools, people who use secure messaging apps were alarmed. The press release accompanying the trove of documents stated that the CIA was able to “bypass” the encryption of secure messaging tools—including Signal—“by hacking the ‘smart’ phones that they run on and collecting audio and message traffic before encryption is applied.”
This led some to believe that the CIA broke Signal, compromising their favorite secure messaging app. But a closer look reveals that the situation isn’t as dire as it seems. The CIA does not have a way around the cryptographic elements of the app. “They did not break Signal any more than looking at your phone over your shoulder breaks Signal,” said Nicholas Weaver, a computer security researcher at the International Computer Science Institute.
The CIA and other government agencies can circumvent messaging apps if they compromise your smartphone. But that’s not something they can do on a mass scale at the push of a button. Joseph Lorenzo Hall, chief technologist at the Center for Democracy & Technology, says that the kind of bulk surveillance we learned about through Edward Snowden’s revelations is now much more difficult to accomplish thanks to the proliferation of end-to-end encryption (including HTTPS, iMessage, and Signal).
Open Whisper Systems, developers of the Signal app and the Signal protocol used by WhatsApp (and others) wrote a series of three tweets saying as much:
The CIA/WikiLeaks story today is about getting malware onto phones, none of the exploits are in Signal or break Signal Protocol encryption. The story isn't about Signal or WhatsApp, but to the extent that it is, we see it as confirmation that what we're doing is working. Ubiquitous e2e [end to end] encryption is pushing intelligence agencies from undetectable mass surveillance to expensive, high-risk, targeted attacks.
Weaver says the term “bypass,” which showed up in the WikiLeaks press release, isn’t inaccurate, even though it’s misleading. “It does bypass encryption, but it actually means the encryption is good, so this is the only way left,” he says.
No app or tool is foolproof. But Hall both points out that hacking target phones and installing tools surreptitiously is an expensive, risky, and time-consuming process. That said, governments have been known to target both activists and terrorists, and they are definitely capable of breaking into the underlying operating system and capturing information on the device. So it’s not a good idea to share secret information about your plans to overthrow dictatorships on Signal, or to blast out incriminating information when you’re on the run from the state. If a government agency breaks into your device and your phone operating system is compromised, no messaging app or tool can protect your information.
For phones that haven’t been compromised, Signal has a myriad of benefits over many messaging apps. (Learn how to set it up here.) It’s impervious to Stingrays, or cell-site simulators that trick phones into connecting to them and capture the content of their communications. “Signal does not use your actual phone. It’s mimicking a phone in software, and because it’s not using the radio on your phone that’s associated with your cellular network, it can’t be tricked,” says Hall. Since Signal uses your internet connection rather than your cell signal, it bypasses any kind of eavesdropping technique designed for cellular or mobile networks.
Another benefit is that Signal keeps extremely limited data on its users. When Open Whisper Systems received a subpoena from the Eastern District of Virginia requiring it to provide information about two Signal users for a federal grand jury investigation, the only information the company had was the date and time one of the two users registered with Signal, and the last date of that person’s connectivity to the service.
So, should Signal users do anything different in light of the leaks? If you use Signal on an iPhone, Nexus, or Pixel, Weaver recommends looking at your threat model. If you don’t think you’re at risk of the CIA or another government risking a $1.5 million zero-day exploit to access your phone, you can rest easy. But he recommends other Android users toss their phones in the trash. “Most Android phones don’t meet the security requirements of a teenager,” he says. But that’s not exactly a secret. These phones have long been criticized for slow updates and out-of-date software that makes users vulnerable to a whole host of publicized security flaws.
It’s always a good idea for users to update their phones and apps to the newest versions, if possible. In fact, Apple told Tech Crunch that many of the iOS exploits in the WikiLeaks dump have already been patched—and it’s working on the rest of them.
But vendors can only create patches for flaws they know about, and another thing that makes both Android and iOS users vulnerable to security flaws is when the CIA holds onto these vulnerabilities rather than disclosing them. In a blog post, the Electronic Frontier Foundation points out that stockpiling these vulnerabilities rather than ensuring that they are patched makes everyone less safe.